I am trying to translate a user to an external IP address and be accurate within 5 seconds. I have to do this using two different searches and two different sourcetypes.
I am specifically looking for the 5 second "time check" of one search's timestamps against the other's for accuracy, and I was thinking that the "eval" command would be the best for it, but I'm not sure. I would like Splunk to compare the two searches' timestamps and return only the results that are within a 5 second window of the first search's timestamps.
This is the current search:
sourcetype=qds eventtype="myevent" host="machine" | join int_port [search sourcetype=net "connection"] | table _time,user,domain,user_ip,ext_ip
Is "eval" the best function to use here?
The answer to this question was to use the "transaction" function.
Here was the section that solved it:
transaction int_port startswith="some log part" endswith="some other log part" maxspan=10s
In general you can look for relationships between fields with the where command, such as this:
some search | where abs(a - b) < 5000
That would filter out any event where the difference between field a and b isn't less than 5000.
In order to do that in your case you need two _time fields. I fear that in a simple join they might be muddled together in _time, or one might get lost. Have you tried renaming the _time field in the second search before joining, say to time2? Doing a where on the difference between _time and time2 may yield your desired result.
Additionally, don't forget to apply the abs() function in case time1 is larger than time2.
Try grouping the arithmetic with ( ) in your where command: where ((time2-time1) < 5)
When I've needed to do this before, I've used eval to create a "delta" field, representing the difference between two time values, then used a search/where to filter for delta over a certain threshold.
I just tried this, and it didn't work. The "where" command seems to be using integers. For instance:
some search | where time2-time1 < 5
I think Splunk sees the 5 as an integer, not seconds, and adding the 's' confuses Splunk.
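Putting the rename-then-where approach from the answers above into one search, as an added example that is not part of any answer on this page. It reuses the field names from the question's search and assumes the "connection" events carry int_port and ext_ip; max=0 on join is assumed to be wanted so that every candidate pairing on int_port is kept and the where clause, not the join, decides which ones survive.

```spl
sourcetype=qds eventtype="myevent" host="machine"
| join max=0 int_port
    [ search sourcetype=net "connection"
      | rename _time AS time2
      | fields int_port time2 ext_ip ]
| eval delta=abs(_time - time2)
| where delta <= 5
| table _time time2 delta user domain user_ip ext_ip
```

_time is stored as epoch seconds, so a bare 5 already means five seconds; the "s" suffix is only valid in time modifiers such as maxspan=10s, not in an eval or where expression. The subsearch inside join is subject to Splunk's subsearch result and time limits, so check that the inner search is not being truncated before trusting a missing match.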